Topology:
Use configuration from OSPFv3 task #2 as initial configuration for this task.
Requirements:
1. Configure authentication for Area 0. Authentication should apply to all existing interfaces in Area 0, except the R2-R3 segment, and also to any interfaces that may be added to Area 0 in the future.
2. Use the strongest authentication method available.
3. OSPF packets in Area 0 (except on the R2-R3 segment) should carry an IPv6 Next-Header value of 51.
4. An attacker who can capture packets on the R1-R8 segment should not be able to read the OSPF packets from the capture.
Solution:
This task requires understanding of the OSPFv3 authentication configuration options (area vs interface) and of the two IPsec protection types available for OSPFv3, AH vs ESP.
Requirement #1 - configure authentication at the area level, so that every interface in Area 0, including any added later, inherits it. Exclude the R2-R3 segment by overriding the area setting on that interface: "ipv6 ospf authentication null" on IOS, "authentication disable" under the interface inside the area on IOS XR. Both ends of the segment must override, otherwise one side sends AH and the other does not and the adjacency never forms.
Requirement #2 - of the two hash algorithms offered for OSPFv3 IPsec authentication (MD5 and SHA-1), SHA-1 is the stronger one.
Requirement #3 - "ipv6 ospf authentication" (and the area-level "authentication ipsec") wraps the packet in an AH header, whose IPv6 Next-Header value is 51. ESP uses Next-Header 50, so this requirement is really asking for AH rather than ESP in Area 0.
Requirement #4 - AH only authenticates; the OSPF payload stays in cleartext, and anyone sniffing the segment can read router IDs, LSAs and prefixes. Use "ipv6 ospf encryption", which carries the packet inside ESP and provides both authentication and encryption. The SPI and the keys must match on both ends of the segment, and keys are entered as hex digits: 40 for SHA-1, 32 for MD5 and AES-CBC 128. Note that the "7" in front of the keys in the configurations that follow means the key is stored with Cisco type 7 encoding, which is reversible obfuscation rather than encryption; anyone who obtains the running configuration recovers the keys.
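The difference between requirements #3 and #4 is easiest to see on the wire. The following Python script is an added example, not part of the lab or of any vendor tooling. It builds three constructed IPv6 frames shaped like what a sniffer sees on the R2-R3 segment (no authentication), on an Area 0 segment (AH, SPI 400) and on the R1-R8 segment (ESP, SPI 300), then walks the Next-Header chain the way a packet analyzer does and reports what an observer can recover. The link-local addresses are the ones that appear in the verification output; the AH ICV and the ESP body are filler bytes rather than real HMAC or AES output, and the OSPF checksum is left at zero.

```python
"""Classify captured OSPFv3 packets by the IPsec protection that wraps them.

Added example, not part of the original lab. The three frames at the bottom
are constructed by hand to look like what a sniffer on each kind of segment
would see; none of them comes from a real capture.
"""
import struct

IPV6_HDR_LEN = 40
NH_ESP = 50    # IPv6 Next-Header value for IPsec ESP (what "ipv6 ospf encryption" produces)
NH_AH = 51     # IPv6 Next-Header value for IPsec AH  (what "ipv6 ospf authentication" produces)
NH_OSPF = 89   # IPv6 Next-Header value for unprotected OSPF

# OSPFv3 header: version, type, length, router ID, area ID, checksum, instance ID, reserved
OSPFV3_HDR = struct.Struct("!BBHIIHBB")
OSPF_TYPES = {1: "Hello", 2: "DBD", 3: "LSR", 4: "LSU", 5: "LSAck"}


def ipv6_packet(next_header, payload, src, dst):
    """IPv6 fixed header (version 6, hop limit 1 as OSPF hellos use) followed by the payload."""
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 1, src, dst) + payload


def ospfv3_header(pkt_type, router_id, area_id, body_len=0):
    """OSPFv3 packet header; checksum left at 0 because nothing here validates it."""
    return OSPFV3_HDR.pack(3, pkt_type, OSPFV3_HDR.size + body_len, router_id, area_id, 0, 0, 0)


def ah_header(next_header, spi, seq, icv):
    """IPsec AH: next header, length in 4-octet units minus 2, reserved, SPI, sequence, ICV."""
    total = 12 + len(icv)
    assert total % 4 == 0, "AH must be a multiple of 4 octets (pad the ICV)"
    return struct.pack("!BBHII", next_header, total // 4 - 2, 0, spi, seq) + icv


def esp_header(spi, seq, ciphertext):
    """IPsec ESP: only SPI and sequence number are in the clear; the rest is ciphertext."""
    return struct.pack("!II", spi, seq) + ciphertext


def classify_ospf(frame):
    """Walk the Next-Header chain and report what an on-path observer can recover."""
    if len(frame) < IPV6_HDR_LEN or frame[0] >> 4 != 6:
        return {"protection": "not-ipv6", "spi": None, "ospf": None}
    result = {"protection": "none", "spi": None, "ospf": None}
    nh, offset = frame[6], IPV6_HDR_LEN
    if nh == NH_AH:
        if len(frame) < offset + 12:
            return result
        nh, ah_len = frame[offset], (frame[offset + 1] + 2) * 4
        result["protection"] = "ah"
        result["spi"] = struct.unpack_from("!I", frame, offset + 4)[0]
        offset += ah_len                      # AH is transparent: skip it, ICV included
    elif nh == NH_ESP:
        result["protection"] = "esp"
        if len(frame) >= offset + 8:
            result["spi"] = struct.unpack_from("!I", frame, offset)[0]
        return result                         # inner Next-Header sits in the encrypted trailer
    if nh == NH_OSPF and len(frame) >= offset + OSPFV3_HDR.size:
        ver, ptype, _plen, rid, aid, _cks, inst, _rsv = OSPFV3_HDR.unpack_from(frame, offset)
        if ver == 3:
            result["ospf"] = {
                "type": OSPF_TYPES.get(ptype, ptype),
                "router_id": "%d.%d.%d.%d" % tuple(rid.to_bytes(4, "big")),
                "area_id": aid,
                "instance_id": inst,
            }
    return result


def readable_by_sniffer(frame):
    """True when the OSPFv3 header (router ID, area, packet type) is exposed on the wire."""
    return classify_ospf(frame)["ospf"] is not None


# Constructed sample frames. Link-local addresses are the ones shown in the lab output;
# the ICV is zero-filled and the ESP body is filler bytes, not real HMAC/AES output.
ALL_SPF_ROUTERS = bytes.fromhex("ff020000000000000000000000000005")
R2_ETH0_0 = bytes.fromhex("fe80000000000000a8bbccfffe000300")   # R2-R3 segment, authentication null
R2_ETH0_1 = bytes.fromhex("fe80000000000000a8bbccfffe000310")   # R2-R1 segment, area-level AH
R8_ETH0_0 = bytes.fromhex("fe80000000000000a8bbccfffe000400")   # R8-R1 segment, ESP
R2_RID = 0x0B000202                                                # 11.0.2.2

hello_r2 = ospfv3_header(1, R2_RID, 0)                             # Area 0 Hello from R2
PLAIN_FRAME = ipv6_packet(NH_OSPF, hello_r2, R2_ETH0_0, ALL_SPF_ROUTERS)
AH_FRAME = ipv6_packet(NH_AH, ah_header(NH_OSPF, 400, 1, b"\x00" * 12) + hello_r2,
                       R2_ETH0_1, ALL_SPF_ROUTERS)
ESP_FRAME = ipv6_packet(NH_ESP, esp_header(300, 1, bytes(range(48))), R8_ETH0_0, ALL_SPF_ROUTERS)

if __name__ == "__main__":
    for name, frame in [("R2-R3", PLAIN_FRAME), ("R2-R1", AH_FRAME), ("R8-R1", ESP_FRAME)]:
        print(name, classify_ospf(frame))
```

Both the unauthenticated and the AH frame expose the full OSPFv3 header (and everything after it) to the sniffer; AH only lets the receiver reject forged or modified packets. Only the ESP frame hides the payload, which is why requirement #4 cannot be met with "ipv6 ospf authentication" alone.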
R1:
!
ipv6 router ospf 1
router-id 11.0.1.1
auto-cost reference-bandwidth 40000
area 0 authentication ipsec spi 400 sha1 7 025756085F535976141759485744465E5A53727274796166764651415B5806080A00005B554F4E0008
distance ospf external 180
!
!
interface Ethernet1/0
ipv6 address 2001:11:0:18::1/64
ipv6 ospf encryption ipsec spi 300 esp aes-cbc 128 7 040A59555B741A1951405546405858517C7C7C7163647040534355560E00080206 sha1 7 12485744465E5A53727274796166764651415B5806080A00005B554F4E000806010101015D0C5E5E08
ipv6 ospf 1 area 2
ipv6 ospf network point-to-multipoint
!
R2:
!
ipv6 router ospf 1
router-id 11.0.2.2
auto-cost reference-bandwidth 40000
area 3 virtual-link 11.0.4.4
area 0 authentication ipsec spi 400 sha1 7 091D1C5A4D5041455355547B79777C6663754B5E465253050D0D0503565A48470B0B030604020C520B
distance ospf external 180
!
interface Ethernet0/0
ipv6 ospf authentication null
!
R3:
!
router ospfv3 CCIE
router-id 11.0.3.3
auto-cost reference-bandwidth 40000
distance ospfv3 external 180
area 0
authentication ipsec spi 400 sha1 password 03550958525A771B1650495445415F59527D737D7862677147524054590F090901075A564E41010107
interface Loopback0
network point-to-point
!
interface GigabitEthernet0/0/0/0
!
interface GigabitEthernet0/0/0/1
authentication disable
!
!
area 3
virtual-link 11.0.5.5
!
interface GigabitEthernet0/0/0/2
!
!
!
R8:
!
interface Ethernet0/0
ipv6 address 2001:11:0:18::8/64
ipv6 ospf encryption ipsec spi 300 esp aes-cbc 128 7 03550958525A771B1650495445415F59527D737D7862677147524054590F090901 sha1 7 025756085F535976141759485744465E5A53727274796166764651415B5806080A00005B554F4E0008
ipv6 ospf 1 area 2
ipv6 ospf network point-to-multipoint
!
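A caveat on the keys shown above: the "7" in front of each key string means the router stored it with Cisco type 7 encoding, which is a fixed XOR against a published constant table, not encryption. The following Python script is an added example, not part of the lab or of any vendor tool. It decodes the type 7 strings copied from the R1 and R3 configurations in this solution and then runs the sanity checks a reviewer would apply to the recovered keys: expected hex length per algorithm (40 digits for SHA-1, 32 for MD5 and AES-CBC 128, 48 for AES-CBC 192 and 3DES, 64 for AES-CBC 256, per the IOS OSPFv3 IPsec key rules), a repeating pattern, and a digits-only alphabet.

```python
"""Recover the keys behind the type 7 strings shown in the configurations above.

Added example, not part of the original lab. XLAT is the well-known constant
that every public Cisco type 7 decoder uses; type 7 is obfuscation, not
encryption, so the keys fall out with a single XOR pass.
"""
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Type 7 strings copied from the R1 and R3 configurations in this solution.
R1_AREA0_SHA1 = "025756085F535976141759485744465E5A53727274796166764651415B5806080A00005B554F4E0008"
R1_ESP_AES128 = "040A59555B741A1951405546405858517C7C7C7163647040534355560E00080206"
R3_AREA0_SHA1 = "03550958525A771B1650495445415F59527D737D7862677147524054590F090901075A564E41010107"

# Expected key length in hex digits for each OSPFv3 IPsec algorithm on IOS.
KEY_HEX_DIGITS = {"sha1": 40, "md5": 32, "aes-cbc-128": 32,
                  "aes-cbc-192": 48, "aes-cbc-256": 64, "3des": 48}


def decode_type7(encoded):
    """Two decimal digits of seed, then one hex pair per character, each XORed with XLAT."""
    encoded = encoded.strip()
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("expected a 2-digit seed followed by an even number of hex digits")
    seed = int(encoded[:2], 10)
    body = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ XLAT[(seed + i) % len(XLAT)]) for i, b in enumerate(body))


def shortest_period(s):
    """Length of the shortest block whose repetition yields s (len(s) when s does not repeat)."""
    for p in range(1, len(s) // 2 + 1):
        if len(s) % p == 0 and s[:p] * (len(s) // p) == s:
            return p
    return len(s)


def audit_key(encoded, algorithm):
    """Decode a type 7 string and return (key, problems) as a reviewer would report them."""
    key = decode_type7(encoded)
    expected = KEY_HEX_DIGITS[algorithm]
    problems = []
    try:
        bytes.fromhex(key)
    except ValueError:
        problems.append("not a hex key")
    if len(key) != expected:
        problems.append("%d hex digits, %s needs %d" % (len(key), algorithm, expected))
    period = shortest_period(key)
    if period <= len(key) // 2:
        problems.append("repeating pattern with period %d" % period)
    if set(key) <= set("0123456789"):
        problems.append("decimal digits only")
    return key, problems


if __name__ == "__main__":
    for label, enc, alg in [("R1 area 0 SHA-1", R1_AREA0_SHA1, "sha1"),
                            ("R1 R1-R8 AES-128", R1_ESP_AES128, "aes-cbc-128"),
                            ("R3 area 0 SHA-1", R3_AREA0_SHA1, "sha1")]:
        key, problems = audit_key(enc, alg)
        print("%-18s %s  %s" % (label, key, "; ".join(problems) or "ok"))
```

The lengths of the recovered keys confirm the rule from the explanation (40 hex digits for the SHA-1 area key, 32 for the AES-CBC 128 key), and the audit shows why a lab key like this must never be carried into production: it is a short repeating decimal pattern, and every router that shares the configuration exposes it. Generate real keys from a CSPRNG and treat the running configuration as key material.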
Verification:
R8#show ipv6 ospf interface eth0/0
Ethernet0/0 is up, line protocol is up
Link Local Address FE80::A8BB:CCFF:FE00:400, Interface ID 3
Area 2, Process ID 1, Instance ID 0, Router ID 11.0.8.8
Network Type POINT_TO_MULTIPOINT, Cost: 4000
AES-CBC-128 encryption SHA-1 auth SPI 300, secure socket UP (errors: 0)
Transmit Delay is 1 sec, State POINT_TO_MULTIPOINT
Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5
Hello due in 00:00:02
Graceful restart helper support enabled
Index 1/2/2, flood queue length 0
Next 0x0(0)/0x0(0)/0x0(0)
Last flood scan length is 5, maximum is 5
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 11.0.1.1
Suppress hello for 0 neighbor(s)
R2#show ipv6 ospf interface ethernet 0/0
Ethernet0/0 is up, line protocol is up
Link Local Address FE80::A8BB:CCFF:FE00:300, Interface ID 3
Area 0, Process ID 1, Instance ID 0, Router ID 11.0.2.2
Network Type BROADCAST, Cost: 4000
authentication NULL
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 11.0.2.2, local address FE80::A8BB:CCFF:FE00:300
Backup Designated router (ID) 11.0.3.3, local address FE80::250:56FF:FE3A:3264
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:04
Graceful restart helper support enabled
Index 1/1/1, flood queue length 0
Next 0x0(0)/0x0(0)/0x0(0)
Last flood scan length is 2, maximum is 12
Last flood scan time is 0 msec, maximum is 1 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 11.0.3.3 (Backup Designated Router)
Suppress hello for 0 neighbor(s)
R2#show ipv6 ospf interface ethernet 0/1
Ethernet0/1 is up, line protocol is up
Link Local Address FE80::A8BB:CCFF:FE00:310, Interface ID 4
Area 0, Process ID 1, Instance ID 0, Router ID 11.0.2.2
Network Type BROADCAST, Cost: 4000
SHA-1 authentication (Area) SPI 400, secure socket UP (errors: 0)
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 11.0.2.2, local address FE80::A8BB:CCFF:FE00:310
Backup Designated router (ID) 11.0.1.1, local address FE80::A8BB:CCFF:FE00:610
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:08
Graceful restart helper support enabled
Index 1/2/2, flood queue length 0
Next 0x0(0)/0x0(0)/0x0(0)
Last flood scan length is 0, maximum is 15
Last flood scan time is 0 msec, maximum is 1 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 11.0.1.1 (Backup Designated Router)
Suppress hello for 0 neighbor(s)